Coders Rights at Risk in the European Parliament

Coders have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, coders are able to improve security for every user who depends on information systems for their daily life and work.

Yet recently, the European Parliament debated a new draft of vague and sweeping computer crime legislation that threatens to create legal woes for researchers who expose security flaws.

The European Parliament discussed the latest agreement between the European Parliament and the Council on a draft Directive on Attacks Against Information Systems. Earlier this year, EFF told the European Parliament that their initial draft jeopardized coders' rights to conduct essential security research. The current version, while better, still doesn't address this problem.

As currently written, the latest version of the Draft Directive threatens coders’ ability to access information systems for security testing without explicit permission. If the European Parliament moves to enact this provision, researchers who study others’ systems in good faith for legitimate research may become criminals.

Article 3 of the Draft Directive criminalizes intentional access to information systems without prior authorization where the actor infringes a security measure. At the heart of the problem is the directive’s reliance on the concept of accessing information systems “without right,” which is defined as “access, interference, interception, or any other conduct referred to in this Directive, not authorized by the owner, other right holder of the system or part of it, or not permitted under national legislation.”

The vague notion of “unauthorized access” has proved to be troublesome within the United States Computer Fraud and Abuse Act. For example, creative prosecutors and litigants have argued in past cases that merely accessing a computer in violation of terms of use makes access “unauthorized,” and therefore a crime.

That broad interpretation of the law would criminalize a great deal of innocuous activity. As the Ninth Circuit Court of Appeals recently pointed out, “By giving that much power to prosecutors, we're inviting discriminatory and arbitrary enforcement.”

The Directive’s caveat about punishing only activities that infringe a "security measure" is an improvement over previous draft language, and will hopefully ensure that merely violating terms of use can’t amount to unauthorized access. But the vagueness of the term "security measure" creates new problems.

Does a user infringe a “security measure” when she stumbles across files in a hidden but unprotected directory on a website? Or when she changes her IP address to avoid an IP block, even if for valid, legitimate reasons?

Another major problem with the draft directive is Article 7, which criminalizes the production, sale, procurement, import, or distribution of tools used to access systems for committing other offenses. This new article rightly tries to link punishment to malicious intent behind using the tool, rather than simply criminalizing the use, production, sale, or distribution of such tools per se.

By doing so, this article tries to avoid the criminalization of dual-use tools that can be used for bad purposes, but also for desirable security efforts to prevent and deter attacks. However, Article 7 remains problematic because it relies upon the murky definition of access “without right” and uses Article 3 as a reference for defining criminal intent, which, as we explained above, is vague.

Another improvement is that the directive seeks to limit criminal punishment to cases that are “not minor.” However, the directive fails to explain what "minor" means in the text itself, leaving the option open for member states to define the term as they see fit.

According to the directive’s present wording, maximum penalties for offenses (including distributing tool software) are at least 2 years of imprisonment, 3 years when using botnets and 5 years when committed in the context of organized crime, causing serious damage, or committed against a critical infrastructure.

Security researchers are a crucial part of any effective security strategy. Unfortunately, this directive creates a very real possibility that they may face serious criminal punishments for their work, which creates a strong disincentive for them to do it.

While the directive’s legally non-binding recitals suggest a number of safeguards, including for human rights and security testing, it is troubling that those protections are not included in the articles themselves.

The European Union should implement a target-hardening strategy to provide strong incentives and support for security researchers to identify and disclose vulnerabilities and motivate providers to quickly issue patches and updates.
